From CCPA to CPRA: California's Privacy Evolution
When California passed the California Consumer Privacy Act (CCPA) in 2018, it was the first comprehensive state privacy law in the nation. Just two years later, California voters approved the California Privacy Rights Act (CPRA) — Proposition 24 — which significantly amended and expanded the original law. The CPRA's substantive provisions took full effect on January 1, 2023, with enforcement beginning July 1, 2023.
For e-commerce businesses, understanding the differences between the original CCPA and the current CPRA framework is essential because many of the "CCPA compliance" steps businesses took in 2020 are no longer sufficient.
Key Differences Between CCPA and CPRA
New Category: Sensitive Personal Information
The CPRA introduced the concept of sensitive personal information (SPI) — a category that did not exist under the original CCPA. SPI includes:
- Social Security numbers, driver's license numbers, and state ID numbers
- Financial account information (account number plus credentials)
- Precise geolocation data
- Racial or ethnic origin, religious beliefs, union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data and biometric information
- Health information and sex life/sexual orientation data
Consumers have the right to limit the use and disclosure of SPI to what is necessary to provide the goods or services they requested. For e-commerce stores, this means if you collect any SPI (such as precise geolocation or payment credentials beyond what's needed for the transaction), you must provide a "Limit the Use of My Sensitive Personal Information" link.
The "Share" Concept and Cross-Context Behavioral Advertising
The original CCPA focused on the "sale" of personal information. The CPRA expanded this to include "sharing" — defined as transferring personal information for cross-context behavioral advertising purposes, whether or not money changes hands.
This is a major change for e-commerce businesses because:
- If you use Meta Pixel, Google Analytics, or any retargeting tags, you are likely "sharing" personal information under the CPRA
- You must provide a "Do Not Sell or Share My Personal Information" link (not just "Do Not Sell")
- You must honor opt-out preference signals like the Global Privacy Control (GPC)
The California Privacy Protection Agency (CPPA)
Under the original CCPA, enforcement was solely the domain of the California Attorney General. The CPRA created a brand-new agency — the California Privacy Protection Agency (CPPA) — with dedicated rulemaking and enforcement authority. The CPPA has been actively issuing regulations and pursuing enforcement actions since 2023.
This matters because the CPPA is a proactive regulator. Unlike the AG's office, which balances privacy enforcement against many other priorities, the CPPA's sole mission is privacy. It has issued detailed regulations on topics like opt-out mechanisms, data broker registration, and automated decision-making.
Right to Correct
The CPRA added a right to correction — consumers can now request that a business correct inaccurate personal information. Under the original CCPA, consumers could only request to know or delete their data.
For e-commerce stores, this means you need a process for:
- Receiving correction requests
- Verifying the identity of the requester
- Making reasonable efforts to correct the inaccurate information
- Notifying service providers and contractors of the correction
Data Minimization and Purpose Limitation
The CPRA introduced explicit data minimization requirements. Businesses may only collect personal information that is "reasonably necessary and proportionate" to the purposes for which it was collected or another disclosed, compatible purpose.
This was a significant shift. Under the original CCPA, there was no explicit requirement to limit collection — you just had to disclose what you collected. Now, you must be able to justify why you collect each category of data.
Extended Look-Back and Retention Disclosures
The CPRA requires businesses to disclose how long they retain each category of personal information, or the criteria used to determine retention periods. This must appear in your privacy policy.
For e-commerce stores, you should define and disclose retention periods for:
- Customer account information
- Order and transaction records
- Marketing and analytics data
- Customer support communications
Expanded Contract Requirements
The CPRA significantly expanded the requirements for contracts with service providers, contractors, and third parties who receive personal information. These contracts must now include specific provisions about:
- The business purposes for processing
- Obligations to comply with the CPRA
- Requirements to notify the business of subcontractor engagements
- Rights for the business to audit and remediate non-compliance
What E-Commerce Businesses Should Update
If you built your privacy compliance around the original CCPA, here is what needs updating:
- Privacy policy — Add SPI disclosures, retention periods, and the right to correct
- Opt-out links — Update from "Do Not Sell" to "Do Not Sell or Share My Personal Information"
- Add SPI link — If you collect sensitive personal information, add the "Limit the Use" link
- Honor GPC signals — Implement technical support for the Global Privacy Control browser signal
- Vendor contracts — Update all data processing agreements to meet CPRA requirements
- Data inventory — Document retention periods for each category of personal information
- DSAR processes — Add a workflow for correction requests alongside existing know/delete workflows
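One way to implement the "Honor GPC signals" item above, as an added example that is not code from the original article: it recognises both forms of the Global Privacy Control signal (the Sec-GPC request header and navigator.globalPrivacyControl) and withholds the tags that "share" personal information. The visitor preference record, the tag catalogue and the resolveSharingPreference helper are assumptions of this example.

```javascript
// Added example, not part of the original article: treat a Global Privacy Control
// signal as an opt-out of "sale or share" before any cross-context advertising tag
// is loaded. Visitor records and tag names below are constructed for illustration.

// GPC arrives two ways: the HTTP request header "Sec-GPC: 1" (server side) and
// navigator.globalPrivacyControl === true (client side). Only the value "1" is defined.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve the effective preference (assumed helper). A GPC signal counts like a
// click on the "Do Not Sell or Share" link; the absence of a signal never reverses
// a stored opt-out, because the signal can only turn sharing off, not back on.
function resolveSharingPreference(stored, { headers, nav } = {}) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const storedOptOut = Boolean(stored && stored.optedOutOfSaleShare);
  return {
    optedOutOfSaleShare: storedOptOut || gpc,
    source: gpc ? "gpc" : storedOptOut ? "link" : "none",
  };
}

// Constructed tag catalogue: which tags transfer data for cross-context behavioral
// advertising ("sharing" under the CPRA) and which stay first-party only.
const TAGS = [
  { id: "meta-pixel", shares: true },
  { id: "retargeting-tag", shares: true },
  { id: "first-party-analytics", shares: false },
];

// Tags that share must not fire for an opted-out visitor; first-party tags still may.
function tagsToLoad(preference) {
  return TAGS.filter((t) => !(t.shares && preference.optedOutOfSaleShare)).map((t) => t.id);
}

// Stand-alone demonstration with a constructed request carrying Sec-GPC: 1.
const demo = resolveSharingPreference(null, { headers: { "Sec-GPC": "1" } });
console.log(demo, tagsToLoad(demo));
```

The same preference object should also be written to the visitor's stored opt-out so that the choice persists across requests that may not carry the header.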
The Bottom Line
The CPRA is not just an update to the CCPA — it is a materially more demanding law. The addition of sensitive personal information controls, the expansion of "sharing" to cover behavioral advertising, and the creation of a dedicated enforcement agency have raised the compliance bar significantly. E-commerce businesses that have not revisited their California compliance since 2020 should treat this as an urgent priority.